To protect against malicious content, intrusion prevention systems (and similarly intrusion detection systems) use an engine to detect signatures of known malicious content. To detect such content, the various communication protocols on the network need to be understood and modeled.
In some situations, such malicious content can be found in a network protocol for which a protocol decoder has already been developed. In these situations it is relatively easy for a response team to quickly respond to a threat by writing a signature that checks appropriate conditions in the parsed protocol.
However, if such a protocol decoder is not available, the response team is not able to release a signature quickly, because developing the protocol decoder, testing it and then writing a signature takes a relatively long time. Indeed, the amount of time that it takes will likely make any response too late to be of much use.
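The contrast between the two situations above can be seen in a small sketch. This is an added example, not code from the original text: the minimal HTTP decoder, the rule format, the rule id and the sample traffic are all constructed for illustration. Once a decoder exists the signature is a few conditions on parsed fields, while traffic that no decoder understands cannot be evaluated at all.

```python
# Added example: a signature written as conditions over decoder output.
# Decoder, rule format, rule id and sample traffic are constructed assumptions.

def decode_http_request(raw: bytes):
    """Minimal HTTP/1.x request decoder; returns None if raw is not HTTP."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            return None
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "uri": parts[1], "headers": headers, "body": body}

# With a decoder in place, the signature is only a set of conditions on fields.
SIGNATURE = {
    "id": "EXAMPLE-0001",  # placeholder rule id
    "conditions": [
        lambda p: p["method"] == "POST",
        lambda p: p["uri"].startswith("/cgi-bin/"),
        lambda p: len(p["headers"].get("user-agent", "")) > 256,
    ],
}

def evaluate(signature, raw: bytes) -> str:
    """Return 'match', 'no-match', or 'undecoded' when no decoder parses raw."""
    parsed = decode_http_request(raw)
    if parsed is None:
        return "undecoded"  # the signature's conditions cannot even be checked
    return "match" if all(c(parsed) for c in signature["conditions"]) else "no-match"

# Constructed sample traffic
SAMPLES = {
    "oversized_header": b"POST /cgi-bin/status HTTP/1.1\r\nHost: a.example\r\n"
                        b"User-Agent: " + b"A" * 300 + b"\r\n\r\n",
    "benign": b"GET /index.html HTTP/1.1\r\nHost: a.example\r\n"
              b"User-Agent: curl/8.0\r\n\r\n",
    "unknown_protocol": b"\x01\x00\x2a\x00custom-binary-frame",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, evaluate(SIGNATURE, raw))
```

The `undecoded` result is the slow path the text describes: nothing in `SIGNATURE` can be written for that traffic until a decoder for it has been developed and tested.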